Providing unseal keys to KMS service

Content Platform for Cloud Scale Administration Guide

Version: 2.6.x
Part Number: MK-HCPCS008-10

When internal encryption is enabled for an HCP for cloud scale system, the Key Management System service provides key encryption keys for storage components. If the service restarts, the vault is sealed and stored objects can't be decrypted. If the vault becomes sealed, you must provide a quorum of unseal keys (three of the five provided when encryption was first enabled) to reopen the vault and resume encryption and decryption.

Important: Don't try to initialize the vault manually outside of HCP for cloud scale. Doing so results in data loss.

  1. From the Object Storage Management application, select Settings > Encryption.
    The ENCRYPTION page opens.
  2. In the UNSEAL VAULT INSTANCES section, enter the first unseal key into the Unseal key 1 field.
    The key is validated. You can't leave the field blank.
  3. Enter a second unseal key into the Unseal key 2 field.
    The key is validated. You can't leave the field blank. Each key must be different.
  4. Enter a third unseal key into the Unseal key 3 field.
    The key is validated. You can't leave the field blank. Each key must be different.
  5. Click Unseal vault.
The vault is unsealed.